mozilla · g-k · Mar 6, 2020 · Mar 6, 2020 · Mar 6, 2020 · Mar 7, 2020
diff --git a/CHANGES b/CHANGES
@@ -10,6 +10,14 @@ Next
 - Drop support for EOL Python <3.6 and Django <2.2 versions
 - Rename default branch to main
 - Fix capturing brackets in script template tags
+- Add support for multiple content security policies
+- Deprecate single policy settings.  Policies are now
+  configured through two settings: CSP_POLICIES and CSP_POLICY_DEFINITIONS.
+- Fix CSP_EXCLUDE_URL_PREFIXES: previously this would error unless it was a
+  single string. NOTE: Like other settings, CSP_EXCLUDE_URL_PREFIXES is now
+  configured per policy in CSP_POLICY_DEFINITIONS under the key
+  exclude_url_prefixes.
+- The block-all-mixed-content directive has been deprecated as it's now obsolete.
 
 3.7
 ===

diff --git a/csp/conf/__init__.py b/csp/conf/__init__.py
@@ -0,0 +1,57 @@
+__all__ = [
+    'defaults',
+    'deprecation',
+    'directive_to_setting',
+    'get_declared_policies',
+    'get_declared_policy_definitions',
+    'setting_to_directive',
+    'DIRECTIVES',
+]
+
+from django.conf import settings
+
+from . import defaults
+from .deprecation import (
+    directive_to_setting,
+    setting_to_directive,
+    _handle_legacy_settings,
+)
+
+
+DIRECTIVES = defaults.DIRECTIVES
+PSEUDO_DIRECTIVES = defaults.PSEUDO_DIRECTIVES
+
+
+def _csp_definitions_update(csp_definitions, other):
+    """ Update one csp definitions dictionary with another """
+    if isinstance(other, dict):
+        other = other.items()
+    for name, csp in other:
+        csp_definitions.setdefault(name, {}).update(csp)
+    return csp_definitions
+
+
+def get_declared_policy_definitions():
+    custom_definitions = _csp_definitions_update(
+        {},
+        getattr(
+            settings,
+            'CSP_POLICY_DEFINITIONS',
+            {'default': {}},
+        ),
+    )
+    _handle_legacy_settings(
+        custom_definitions['default'],
+        allow_legacy=not hasattr(settings, 'CSP_POLICY_DEFINITIONS'),
+    )
+    definitions = _csp_definitions_update(
+        {},
+        {name: defaults.POLICY for name in custom_definitions}
+    )
+    for name, csp in custom_definitions.items():
+        definitions.setdefault(name, {}).update(csp)
+    return definitions
+
+
+def get_declared_policies():
+    return getattr(settings, 'CSP_POLICIES', defaults.POLICIES)
diff --git a/csp/conf/defaults.py b/csp/conf/defaults.py
@@ -0,0 +1,47 @@
+POLICIES = ('default',)
+
+POLICY = {
+    # Fetch Directives
+    'child-src': None,
+    'connect-src': None,
+    'default-src': ("'self'",),
+    'script-src': None,
+    'script-src-attr': None,
+    'script-src-elem': None,
+    'object-src': None,
+    'style-src': None,
+    'style-src-attr': None,
+    'style-src-elem': None,
+    'font-src': None,
+    'frame-src': None,
+    'img-src': None,
+    'manifest-src': None,
+    'media-src': None,
+    'prefetch-src': None,
+    'worker-src': None,
+    # Document Directives
+    'base-uri': None,
+    'plugin-types': None,
+    'sandbox': None,
+    # Navigation Directives
+    'form-action': None,
+    'frame-ancestors': None,
+    'navigate-to': None,
+    # Reporting Directives
+    'report-uri': None,
+    'report-to': None,
+    'require-sri-for': None,
+    # Trusted Types Directives
+    'require-trusted-types-for': None,
+    'trusted-types': None,
+    # Other Directives
+    'upgrade-insecure-requests': False,
+    'block-all-mixed-content': False,  # Obsolete
+    # Pseudo Directives
+    'report_only': False,
+    'include_nonce_in': ('default-src',),
+    'exclude_url_prefixes': (),
+}
+
+DIRECTIVES = set(POLICY)
+PSEUDO_DIRECTIVES = {d for d in DIRECTIVES if '_' in d}
diff --git a/csp/conf/deprecation.py b/csp/conf/deprecation.py
@@ -0,0 +1,70 @@
+import warnings
+
+from django.conf import settings
+from django.core.exceptions import ImproperlyConfigured
+
+from . import defaults
+
+
+BLOCK_ALL_MIXED_CONTENT_DEPRECATION_WARNING = (
+    "block-all-mixed-content is obsolete. "
+    "All mixed content is now blocked if it can't be autoupgraded."
+)
+
+LEGACY_SETTINGS_NAMES_DEPRECATION_WARNING = (
+    'The following settings are deprecated: %s. '
+    'Use CSP_POLICY_DEFINITIONS and CSP_POLICIES instead.'
+)
+
+
+def setting_to_directive(setting, value, prefix='CSP_'):
+    setting = setting[len(prefix):].lower()
+    if setting not in defaults.PSEUDO_DIRECTIVES:
+        setting = setting.replace('_', '-')
+    assert setting in defaults.DIRECTIVES
+    if isinstance(value, str):
+        value = [value]
+    return setting, value
+
+
+def directive_to_setting(directive, prefix='CSP_'):
+    setting = '{}{}'.format(
+        prefix,
+        directive.replace('-', '_').upper()
+    )
+    return setting
+
+
+_LEGACY_SETTINGS = {
+    directive_to_setting(directive) for directive in defaults.DIRECTIVES
+}
+
+
+def _handle_legacy_settings(csp, allow_legacy):
+    """
+    Custom defaults allow you to set values for csp directives
+    that will apply to all CSPs defined in CSP_DEFINITIONS, avoiding
+    repetition and allowing custom default values.
+    """
+    legacy_names = (
+        _LEGACY_SETTINGS
+        & set(s for s in dir(settings) if s.startswith('CSP_'))
+    )
+    if not legacy_names:
+        return
+
+    if not allow_legacy:
+        raise ImproperlyConfigured(
+            "Setting CSP_POLICY_DEFINITIONS is not allowed with the following "
+            "deprecated settings: %s" % ", ".join(legacy_names)
+        )
+
+    warnings.warn(
+        LEGACY_SETTINGS_NAMES_DEPRECATION_WARNING % ', '.join(legacy_names),
+        DeprecationWarning,
+    )
+    legacy_csp = (
+        setting_to_directive(name, value=getattr(settings, name))
+        for name in legacy_names if name not in csp
+    )
+    csp.update(legacy_csp)
diff --git a/csp/contrib/rate_limiting.py b/csp/contrib/rate_limiting.py
@@ -3,23 +3,20 @@
 from django.conf import settings
 
 from csp.middleware import CSPMiddleware
-from csp.utils import build_policy
 
 
 class RateLimitedCSPMiddleware(CSPMiddleware):
     """A CSP middleware that rate-limits the number of violation reports sent
     to report-uri by excluding it from some requests."""
 
-    def build_policy(self, request, response):
-        config = getattr(response, '_csp_config', None)
-        update = getattr(response, '_csp_update', None)
-        replace = getattr(response, '_csp_replace', {})
-        nonce = getattr(request, '_csp_nonce', None)
+    def get_build_kwargs(self, request, response):
+        build_kwargs = super().get_build_kwargs(request, response)
+        replace = build_kwargs['replace'] or {}
 
         report_percentage = getattr(settings, 'CSP_REPORT_PERCENTAGE')
         include_report_uri = random.random() < report_percentage
         if not include_report_uri:
             replace['report-uri'] = None
+        build_kwargs['replace'] = replace
 
-        return build_policy(config=config, update=update, replace=replace,
-                            nonce=nonce)
+        return build_kwargs
diff --git a/csp/decorators.py b/csp/decorators.py
@@ -1,4 +1,11 @@
 from functools import wraps
+from itertools import chain
+
+from .utils import (
+    get_declared_policies,
+    _policies_from_args_and_kwargs,
+    _policies_from_names_and_kwargs,
+)
 
 
 def csp_exempt(f):
@@ -10,8 +17,25 @@ def _wrapped(*a, **kw):
     return _wrapped
 
 
-def csp_update(**kwargs):
-    update = dict((k.lower().replace('_', '-'), v) for k, v in kwargs.items())
+def csp_select(*names):
+    """
+    Trim or add additional named policies.
+    """
+    def decorator(f):
+        @wraps(f)
+        def _wrapped(*a, **kw):
+            r = f(*a, **kw)
+            r._csp_select = names
+            return r
+        return _wrapped
+    return decorator
+
+
+def csp_update(csp_names=('default',), **kwargs):
+    update = _policies_from_names_and_kwargs(
+        csp_names,
+        kwargs,
+    )
 
     def decorator(f):
         @wraps(f)
@@ -23,8 +47,11 @@ def _wrapped(*a, **kw):
     return decorator
 
 
-def csp_replace(**kwargs):
-    replace = dict((k.lower().replace('_', '-'), v) for k, v in kwargs.items())
+def csp_replace(csp_names=('default',), **kwargs):
+    replace = _policies_from_names_and_kwargs(
+        csp_names,
+        kwargs,
+    )
 
     def decorator(f):
         @wraps(f)
@@ -36,12 +63,43 @@ def _wrapped(*a, **kw):
     return decorator
 
 
-def csp(**kwargs):
-    config = dict(
-        (k.lower().replace('_', '-'), [v] if isinstance(v, str) else v)
-        for k, v
-        in kwargs.items()
-    )
+def csp_append(*args, **kwargs):
+    append = _policies_from_args_and_kwargs(args, kwargs)
+
+    def decorator(f):
+        @wraps(f)
+        def _wrapped(*a, **kw):
+            r = f(*a, **kw)
+            # TODO: these decorators would interact more smoothly and
+            # be more performant if we recorded the result on the function.
+            if hasattr(r, "_csp_config"):
+                r._csp_config.update({
+                    name: policy for name, policy in append.items()
+                    if name not in r._csp_config
+                })
+                select = getattr(r, "_csp_select", None)
+                if select:
+                    select = list(select)
+                    r._csp_select = tuple(chain(
+                        select,
+                        (name for name in append if name not in select),
+                    ))
+            else:
+                r._csp_config = append
+                select = getattr(r, "_csp_select", None)
+                if not select:
+                    select = get_declared_policies()
+                r._csp_select = tuple(chain(
+                    select,
+                    (name for name in append if name not in select),
+                ))
+            return r
+        return _wrapped
+    return decorator
+
+
+def csp(*args, **kwargs):
+    config = _policies_from_args_and_kwargs(args, kwargs)
 
     def decorator(f):
         @wraps(f)